WordPress Plugin Vulnerabilities

Ocean Extra < 2.4.7 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.

Affects Plugins

Plugin icon
ocean-extra
Fixed in 2.4.7

References

CVE
CVE-2025-3472
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/74428e76-1946-408f-8adc-24ab4b7e46c5

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
f75fc05d-d6d5-479b-b5b7-63e511e2a9a5

Timeline

Publicly Published
2025-04-21 (about 1 year ago)
Added
2025-04-22 (about 1 year ago)
Last Updated
2025-04-22 (about 1 year ago)

Other

Published
Title
Published
2024-06-20
Title
Consulting Elementor Widgets < 1.3.1 - Authenticated (Contributor+) Remote Code Execution
Published
2005-06-29
Title
WordPress <= 1.5.1.2 - XML-RPC Eval Injection
Published
2024-12-11
Title
SeedProd Pro < 6.18.14 - Authenticated (Editor+) Remote Code Execution
Published
2025-08-14
Title
Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call
Published
2022-02-21
Title
WPCargo < 6.9.0 - Unauthenticated RCE